The biggest cybersecurity risk to US businesses is employee negligence, study says

  • Employee negligence such as accidental loss is the main cause of data breaches, according to a report from Shred-it.
  • Remote workers and external vendors also increase the risk of data breaches, it says.
571492567
Simon Ritzmann/Getty Images

Hackers are no match for human error.

Employee negligence is the main cause of data breaches, according to a state of the industry report by Shred-it, an information security company. The report found that 47 percent of business leaders said human error such as accidental loss of a device or document by an employee had caused a data breach at their organization.

Over 1,000 small business owners and C-suite executives in the United States were surveyed online in April for the report.

In 2017, data breaches cost companies an average of $3.6 million globally, according to a separate report from the Ponemon Institute.

For smaller businesses especially, that price tag could wipe out the entire firm. For a company of any size, a data breach can also cheapen a company's brand and negatively impact their ability to do work, according to Shred-it.

"The study's findings clearly show that seemingly small habits can pose great security risks," said Shred-it vice president Monu Kalsi.

Basic bad habits 

Many of the most dangerous offenses by employees are things that they might not even think about as risky behavior. A surprising number of workers surveyed by Shred-it admitted to bad security behavior at work; over 25 percent said that they leave their computer unlocked and unattended.

Even taking notes on paper, or leaving papers out on your desk, can have unintended consequences.

"When you use paper to document notes or meeting minutes it raises the risk of you leaving that information behind," said Kalsi. A simple mistake can backfire; earlier this year, a Department of Homeland Security employee left sensitive Super Bowl security documents on a plane.

Remote work

Working from Starbucks or even your living room may be nice and convenient, but it could also be opening your company up to a dangerous data breach.

Remote work is increasing. Over half of hiring managers agree that remote work is more common and a third think it is the future of work, according to a report on the future of work from Upwork, a freelancing platform.

Cybersecurity practices have not yet caught up. A majority of executives agree that the risk of a data breach is higher when an employee works remotely, yet few businesses have comprehensive off-site policies in place for those workers. Over half of small business owners said they have no policy for remote workers.

In addition, contractors or external vendors also open up companies to data breaches. The Shred-it survey found that 1 in 4 executives and 1 in 5 small business owners said that an external vendor was the cause of a data breach at their company.

This is because many businesses don't do a thorough job of managing access when a relationship with an external vendor ends, according to Kalsi.

"There needs to be better governance around these things," he said.

More from Personal Finance
These are the ways student loans stop people from buying a house
Student loan nightmare: Some borrowers have to start over
People with massive student debt hope Trump will let them declare bankruptcy

Bridging the training gap

Many companies have training and policies in place to protect data and teach their employees good cyber practices. But those efforts might not be frequent or prevalent enough to truly protect a company.

"The general assumption that a lot of companies make that if you train an employee once a year they will retain that information is a false assumption," said Kalsi. Training and awareness should be dynamic and ongoing to foster a company culture of good security practices.

In addition, cybersecurity should extend beyond the office and into the home, especially if a company has remote workers or uses external vendors to do business.

"This isn't just about commercial or business use anymore," said Michael Tanenbaum, executive vice president and the head of the North America cyber practice at Chubb, a global insurance company. "We're trying to make sure that as these trends continue, we aren't just thinking about the commercial end."

"The general assumption that a lot of companies make that if you train an employee once a year they will retain that information is a false assumption" -Monu Kalsi, vice president, Shred-it

What companies can do 

While transforming a company's cybersecurity practices can take months or years, here are some actions that can be set in motion right away.

1. Update the workplace policy. The report suggests a clean desk rule, as well as a chapter of company policy dedicated to remote workers and external vendors.

2. Secure physical access to information. Keep sensitive information locked in desk drawers or in lockers, shred paper documents when necessary and take notes on a computer or laptop.

3. Dispose of old hard drives correctly. "A lot of companies or employees assume that information can be deleted or cleaned on a hard drive, but it's not true. The hard drive has to be destroyed," said Shred-it's Kalsi.

4. Make sure every employee knows whom to call. An employee should feel comfortable reporting a lost or stolen device and do it as quickly as possible. "Communication is number one," said Kalsi.